WIP sops for Lilim -> enable pure eval.

2023-04-15 16:27:27 +02:00 · 2023-04-15 16:27:27 +02:00 · 908b709439
commit 908b709439
parent b37af57fd5
6 changed files with 67 additions and 7 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,10 @@
 keys:
  - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
  - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
 creation_rules:
  - path_regex: machines/Lilim/[^/]+.yaml$
    key_groups:
    - pgp:
      - *admins
      age:
      - *lilim
--- a/config/nix.nix
+++ b/config/nix.nix
@ -14,7 +14,8 @@ in {
      trusted-substituters = [
        "https://cache.nixos.org"
      ] ++ cfg.binaryCaches;
-      trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
+      # TODO: integrate into sops
      # trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
      substituters = [
        "https://cache.nixos.org"
      ] ++ cfg.binaryCaches;
--- a/config/users.nix
+++ b/config/users.nix
@ -7,7 +7,7 @@ let
    name = user.name;
    value = let
      cfg = config.services;
-      passPath = "${config.machine.secretPath}/${user.name}";
+      passPath = config.sops.secrets."users/${user.name}/password".path;
    in {
      isNormalUser = true;
      name = user.name;
@ -22,9 +22,10 @@ let
        ++ (optional config.virtualisation.docker.enable "docker");
      shell = "${pkgs.zsh}/bin/zsh";
      passwordFile = passPath;
-      openssh.authorizedKeys.keyFiles = optional
+      # TODO: Fix for sops
-        (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
+      # openssh.authorizedKeys.keyFiles = optional
-        "${passPath}.pub";
+      #   (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
      #   "${passPath}.pub";
    };
  };
@ -36,7 +37,6 @@ let
       members = [ user.name ];
     };
   };
 in {
  users = {
    mutableUsers = false;
--- a/flake.nix
+++ b/flake.nix
@ -22,7 +22,7 @@
      name = machine;
      value = let
        machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine];
-        machineFiles = fn.lst { p = machinePath; b = true; };
+        machineFiles = lib.filter (name: lib.strings.hasSuffix ".nix" name) (fn.lst { p = machinePath; b = true; });
      in nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = attrs;
--- a/machines/Lilim/secrets.yaml
+++ b/machines/Lilim/secrets.yaml
@ -0,0 +1,36 @@
 users:
    derped:
        password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
        mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV
            ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM
            VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ
            MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf
            S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-04-16T08:54:15Z"
    mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
    pgp:
        - created_at: "2023-04-16T11:36:28Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w
            SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo
            1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL
            Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx
            Id/w9ez1/+cpfA==
            =seBV
            -----END PGP MESSAGE-----
          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/machines/Lilim/sops.nix
+++ b/machines/Lilim/sops.nix
@ -0,0 +1,13 @@
 { config, lib, ... }:
 {
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age = {
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
    # TODO: auto loop over users
    secrets."users/derped/password".neededForUsers = true;
  };
 }